On an ESX host, follow the steps below to troubleshoot NSX distributed firewall (DFW) data path issues. For more firewall troubleshooting commands, see the NSX Command-Line Interface Reference.
Get the list of VMs on the ESXi host and their associated filter names
This lists all VMs on the ESXi host together with the dvfilter attached to each vNIC. Note the value of the "name" field (the filter name) and pass it with -f in the subsequent commands to get the output for a given VM.
[root@esxcomp-2a:~] summarize-dvfilter | grep -A 3 vmm
world 1371516 vmm0:PROD-MRS-DB-01 vcUuid:'50 20 92 e1 11 b7 10 d3-56 c5 e0 da 46 87 b5 d2'
 port 67108881 PROD-MRS-DB-01.eth0
  vNic slot 2
   name: nic-1371516-eth0-vmware-sfw.2
--
world 1622816 vmm0:DEV-MRS-DB-01 vcUuid:'50 2d f3 a3 96 a4 f4 94-6e 55 84 85 c1 bd 05 2c'
 port 67108883 DEV-MRS-DB-01.eth0
  vNic slot 2
   name: nic-1622816-eth0-vmware-sfw.2
--
world 7014985 vmm0:PROD-MRS-APP-01 vcUuid:'50 20 9b 5f cd b7 43 de-ab bb 8d 0e f5 bb ca 99'
 port 67108895 PROD-MRS-APP-01.eth0
  vNic slot 2
   name: nic-7014985-eth0-vmware-sfw.2
--
world 7022287 vmm0:PROD-MRS-APP-02 vcUuid:'50 20 4a 44 17 fb 21 cf-fb 62 1e a3 d0 3c 7d cf'
 port 67108896 PROD-MRS-APP-02.eth0
  vNic slot 2
   name: nic-7022287-eth0-vmware-sfw.2
[root@esxcomp-2a:~]
Get the firewall rules applied to a VM
From the output above, use the filter name associated with the VM to get all firewall rules applied to that VM's vNIC. Rules are listed per ruleset (mainrs for L3/L4, mainrs_L2 for Ethernet rules) in evaluation order; the "at N" value is the position within the ruleset and the "rule NNNN" value is the DFW rule ID.
[root@esxcomp-2a:~] vsipioctl getrules -f nic-7014985-eth0-vmware-sfw.2
ruleset mainrs {
# generation number: 0
# realization time : 2020-12-16T23:41:30
# PRE_FILTER rules
rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
rule 5133 at 2 inout protocol any from any to any accept with log tag 'ipv6-app-deny-default';
rule 5132 at 3 inout inet protocol icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
rule 5132 at 4 inout inet protocol tcp strict from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 port 22 accept with log tag 'icmp-test';
rule 5132 at 5 inout inet protocol ipv6-icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
rule 5130 at 6 inout inet protocol icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
rule 5130 at 7 inout inet protocol ipv6-icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
# FILTER (APP Category) rules
rule 5102 at 1 inout protocol any from addrset rsrc5102 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
rule 5126 at 2 in protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
rule 5127 at 3 out protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
rule 5128 at 4 out protocol any from addrset rsrc5128 to addrset rdst5128 accept;
rule 5129 at 5 in protocol any from addrset rsrc5128 to addrset 98abd76f-351b-4a4a-857f-1d91416b0798 accept;
rule 5103 at 6 in protocol any from addrset rsrc5128 to addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 accept;
rule 5135 at 7 inout protocol any from any to any with attribute profile acf76e7d-400b-438b-966f-8d5c10bebbda accept;
rule 5135 at 8 inout protocol any from any to any with attribute profile 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 accept;
rule 5124 at 9 inout protocol any from any to any with attribute profile 8774c654-0f9e-43ad-a803-4aa720e590cf accept;
rule 5123 at 10 inout protocol any from any to any with attribute profile 13e599b5-dd2d-420f-8473-9d45f0d324ac accept;
rule 5125 at 11 inout protocol any from any to any with attribute profile e4be8d7e-e4ab-4466-8f2e-998445ead95d accept;
rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
}
ruleset mainrs_L2 {
# generation number: 0
# realization time : 2020-12-16T23:41:30
# FILTER rules
rule 1 at 1 inout ethertype any stateless from any to any accept;
}
[root@esxcomp-2a:~]
Get per-rule statistics for each VM vNIC
Add "-s" to the command above to get the firewall statistics associated with the VM's firewall rules: evaluations, hits, sessions, and packet and byte counts per rule and direction. A rule that shows evals but zero hits was evaluated but never matched; in the output below, for example, the final drop rule (rule 2) has been evaluated 92 times and has never matched.
[root@esxcomp-2a:~] vsipioctl getrules -f nic-7014985-eth0-vmware-sfw.2 -s
ruleset mainrs {
# PRE_FILTER rules
rule 5134 at 1, 68 evals, 68 hits, 68 sessions, in 1120 out 1120 pkts, in 113952 out 114184 bytes
rule 5133 at 2, 24 evals, 24 hits, 24 sessions, in 16 out 8 pkts, in 896 out 768 bytes
rule 5132 at 3, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5132 at 4, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5132 at 5, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5130 at 6, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5130 at 7, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
# FILTER (APP Category) rules
rule 5102 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5126 at 2, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5127 at 3, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5128 at 4, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5129 at 5, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5103 at 6, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5135 at 7, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5135 at 8, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5124 at 9, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5123 at 10, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 5125 at 11, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 2 at 12, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
ruleset mainrs_L2 {
# FILTER rules
rule 1 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
[root@esxcomp-2a:~]
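The three steps above (find the VM's filter, dump its rules, dump the per-rule statistics) chained together offline, as an added example that is not part of the NSX documentation. It assumes the command outputs have been captured to text (the sample data below is abridged from the page's own output and embedded as constructed input) and that the DFW evaluates the mainrs ruleset top-down with first match, which is what the "evaluated but never hit" and "unconditional accept above the default drop" checks rely on.

```python
"""Added example (not NSX documentation code): chain the three steps above.
Find a VM's dvfilter in summarize-dvfilter output, then join `vsipioctl getrules`
with its `-s` statistics. Sample inputs are abridged copies of the page's output."""
import re

# Constructed sample inputs (abridged from the page's command output).
SUMMARIZE_DVFILTER = """\
world 1371516 vmm0:PROD-MRS-DB-01 vcUuid:'50 20 92 e1 11 b7 10 d3-56 c5 e0 da 46 87 b5 d2'
 port 67108881 PROD-MRS-DB-01.eth0
  vNic slot 2
   name: nic-1371516-eth0-vmware-sfw.2
--
world 7014985 vmm0:PROD-MRS-APP-01 vcUuid:'50 20 9b 5f cd b7 43 de-ab bb 8d 0e f5 bb ca 99'
 port 67108895 PROD-MRS-APP-01.eth0
  vNic slot 2
   name: nic-7014985-eth0-vmware-sfw.2
"""
GETRULES = """\
ruleset mainrs {
rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
rule 5133 at 2 inout protocol any from any to any accept with log tag 'ipv6-app-deny-default';
# FILTER (APP Category) rules
rule 5135 at 7 inout protocol any from any to any with attribute profile acf76e7d-400b-438b-966f-8d5c10bebbda accept;
rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
}
ruleset mainrs_L2 {
rule 1 at 1 inout ethertype any stateless from any to any accept;
}
"""
GETRULES_STATS = """\
ruleset mainrs {
rule 5134 at 1, 68 evals, 68 hits, 68 sessions, in 1120 out 1120 pkts, in 113952 out 114184 bytes
rule 5133 at 2, 24 evals, 24 hits, 24 sessions, in 16 out 8 pkts, in 896 out 768 bytes
rule 5135 at 7, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule 2 at 12, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
ruleset mainrs_L2 {
rule 1 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}
"""

WORLD_RE = re.compile(r"^world \d+ vmm\d+:(\S+)")          # "world 7014985 vmm0:<vm name> ..."
NAME_RE = re.compile(r"^\s*name:\s*(\S+)")                   # "   name: nic-...-vmware-sfw.2"
RULESET_RE = re.compile(r"^ruleset (\S+) \{")
RULE_RE = re.compile(r"^rule (\d+) at (\d+) (.*);$")
STAT_RE = re.compile(r"^rule (\d+) at (\d+), (\d+) evals, (\d+) hits, (\d+) sessions")


def filters_by_vm(text):
    """Map VM name -> list of dvfilter names from summarize-dvfilter output."""
    out, vm = {}, None
    for line in text.splitlines():
        if m := WORLD_RE.match(line):
            vm = m.group(1)
            out.setdefault(vm, [])
        elif (m := NAME_RE.match(line)) and vm:
            out[vm].append(m.group(1))
    return out


def parse_rules(text):
    """Return [(ruleset, rule_id, position, body)] in evaluation order."""
    rules, ruleset = [], None
    for line in text.splitlines():
        if m := RULESET_RE.match(line):
            ruleset = m.group(1)
        elif m := RULE_RE.match(line):
            rules.append((ruleset, int(m.group(1)), int(m.group(2)), m.group(3)))
    return rules


def parse_stats(text):
    """Return {(ruleset, rule_id, position): (evals, hits, sessions)}."""
    stats, ruleset = {}, None
    for line in text.splitlines():
        if m := RULESET_RE.match(line):
            ruleset = m.group(1)
        elif m := STAT_RE.match(line):
            stats[(ruleset, int(m.group(1)), int(m.group(2)))] = tuple(int(x) for x in m.groups()[2:])
    return stats


def rule_report(rules_text, stats_text):
    """Join rules with their stats. Flags rules that were evaluated but never
    hit, and the first L3/L4 'from any to any accept' in mainrs (no attribute
    profile) that sits above the final drop: with top-down first match, any
    flow reaching it is accepted and never tested against the default drop."""
    stats = parse_stats(stats_text)
    rows, never_hit, open_accept = [], [], None
    for rs, rid, pos, body in parse_rules(rules_text):
        evals, hits, _sessions = stats.get((rs, rid, pos), (0, 0, 0))
        action = next(w for w in body.split() if w in ("accept", "drop", "reject"))
        rows.append((rs, rid, pos, action, evals, hits))
        if evals and not hits:
            never_hit.append((rs, rid, pos))
        if (rs == "mainrs" and open_accept is None and action == "accept"
                and " from any to any " in f" {body} " and "attribute profile" not in body):
            open_accept = (rid, pos)
    return {"rows": rows, "never_hit": never_hit, "open_accept": open_accept}


if __name__ == "__main__":
    print("filter for PROD-MRS-APP-01:", filters_by_vm(SUMMARIZE_DVFILTER)["PROD-MRS-APP-01"])
    rep = rule_report(GETRULES, GETRULES_STATS)
    for row in rep["rows"]:
        print("%-9s rule %5d at %2d %-6s evals=%-4d hits=%d" % row)
    print("evaluated but never hit:", rep["never_hit"])
    print("unconditional L3/L4 accept above the default drop:", rep["open_accept"])
```

On a real host, capture the three outputs with `summarize-dvfilter | grep -A 3 vmm`, `vsipioctl getrules -f <filter>` and `vsipioctl getrules -f <filter> -s` and feed them in place of the embedded samples; the report then shows, for the page's data, that rule 5133 accepts everything that rule 5134 did not, which is why rule 2 never matches.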
Get the address sets/groups used in the VM's firewall rules
Firewall rules reference groups as address sets in their source or destination. This output lists all address sets used by the rules, as realized on the host from the grouping configuration; an address set can contain IPv4 and IPv6 addresses as well as MAC addresses. "addrset is shared for this filter" means the sets come from the host-wide (global) table rather than a per-filter (local) one, which is why the same sets appear for the other VMs on the host.
[root@esxcomp-2a:~] vsipioctl getaddrset -f nic-1371516-eth0-vmware-sfw.2
addrset is shared for this filter
global addrset
addrset 98abd76f-351b-4a4a-857f-1d91416b0798 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 10.2.0.2,
ip 10.114.217.26,
ip 172.16.202.2,
ip 172.16.202.22,
ip 192.168.202.2,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:0e:25,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:2d:c0,
mac 00:50:56:a0:8d:90,
}
addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d {
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rdst5128 {
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset rdst5130 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 100.100.100.100,
}
addrset rsrc5102 {
ip 1.1.1.1,
ip 1.1.1.2,
}
addrset rsrc5127 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset rsrc5128 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
local addrset
No address sets.
[root@esxcomp-2a:~]
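An added example (not NSX documentation code) that turns the address-set dump above into a lookup: which address sets contain a given IP or MAC address, and which rules of the filter could therefore apply to a given source/destination pair. The sample address sets and rule lines are abridged from the page and embedded as constructed input; handling of "ip" entries assumes single addresses or CIDR prefixes, the only forms shown on this page.

```python
"""Added example (not NSX documentation code): resolve addresses to the
address sets of `vsipioctl getaddrset` output and to the rules that use them."""
import ipaddress
import re

# Constructed sample input, abridged from the page's getaddrset/getrules output.
GETADDRSET = """\
addrset is shared for this filter
global addrset
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
mac 00:50:56:a0:26:dc,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rdst5130 {
ip 1.1.1.1,
ip 100.100.100.100,
}
local addrset
No address sets.
"""
RULES = """\
rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
rule 5132 at 4 inout inet protocol tcp strict from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 port 22 accept with log tag 'icmp-test';
rule 5130 at 6 inout inet protocol icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
"""

ADDRSET_RE = re.compile(r"^addrset (\S+) \{")
ENTRY_RE = re.compile(r"^\s*(ip|mac) (\S+?),?$")
RULE_RE = re.compile(r"^rule (\d+) at (\d+) .* from (any|addrset \S+) to (any|addrset \S+) ")


def parse_addrsets(text):
    """{set name: {'ip': [ip_network, ...], 'mac': [lower-case str, ...]}}."""
    sets, cur = {}, None
    for line in text.splitlines():
        if m := ADDRSET_RE.match(line):
            cur = sets.setdefault(m.group(1), {"ip": [], "mac": []})
        elif line.strip() == "}":
            cur = None
        elif cur is not None and (m := ENTRY_RE.match(line)):
            kind, value = m.groups()
            # Assumption: "ip" entries are single addresses or CIDR prefixes
            # (a bare address becomes a /32 or /128 network).
            cur[kind].append(ipaddress.ip_network(value, strict=False) if kind == "ip" else value.lower())
    return sets


def sets_containing(sets, address):
    """Sorted names of the address sets that contain an IP or a MAC address."""
    addr = address.lower()
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        ip = None  # not an IP: treat as a MAC
    return sorted(name for name, s in sets.items()
                  if (ip is not None and any(ip in net for net in s["ip"]))
                  or (ip is None and addr in s["mac"]))


def rules_for(rules_text, sets, src=None, dst=None):
    """[(rule_id, position)] whose source/destination can match src/dst:
    'any' always can; an addrset only if it contains the address.
    A side left as None is treated as a wildcard."""
    src_sets = sets_containing(sets, src) if src else None
    dst_sets = sets_containing(sets, dst) if dst else None

    def side_matches(field, names):
        return field == "any" or names is None or field.split()[1] in names

    hits = []
    for line in rules_text.splitlines():
        if m := RULE_RE.match(line):
            rid, pos, frm, to = m.groups()
            if side_matches(frm, src_sets) and side_matches(to, dst_sets):
                hits.append((int(rid), int(pos)))
    return hits


if __name__ == "__main__":
    sets = parse_addrsets(GETADDRSET)
    print("sets containing 172.16.202.2:", sets_containing(sets, "172.16.202.2"))
    print("rules that can apply to 172.16.202.2 -> 172.16.202.22:",
          rules_for(RULES, sets, src="172.16.202.2", dst="172.16.202.22"))
```

The candidate list is ordered as the rules are; the first entry is the one a flow between those two addresses would reach first, which is the question to ask when a rule "does not seem to match": if the expected rule is missing from the list, the address is not in the realized set (check group membership and realization time), and if it is present but below another candidate, the rule above it matches first.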
Get the active firewall flows for each VM
NSX DFW keeps the active flows per vNIC. This output shows all active flows on that vNIC with the rule ID that admitted each flow, the direction, the endpoints and the packet and byte counters, so a flow can be traced back to a specific rule in the getrules output.
[root@esxcomp-2a:~] vsipioctl getflows -f nic-7014985-eth0-vmware-sfw.2
Count retrieved from kernel active=6, inactive=0, drop=0
ecbd448200000001 Active ipv6-icmp 86dd IN 5134 0 0 2001::172:16:202:22 -> 2001::172:16:202:2 128 0 1039376 1039376 9994 9994 tmo 9
ecbd4482000000b9 Active tcp 0800 OUT 5134* 0 0 (est) 172.16.202.2:Unknown(39914) -> 172.16.202.22:ssh(22) 305 EST:EST rtt 21020 retrans 0/0 4409 3725 23 25 tmo 43195
ecbd4482000000ba Active ipv6-icmp 86dd OUT 5134* 0 0 fe80::250:56ff:fea0:8d90 -> 2001::172:16:202:22 135 0 64 72 1 1
ecbd4482000000bb Active igmp 0800 IN 5133* 0 0 (D) 0.0.0.0 -> 224.0.0.1 36 0 1 0 tmo 51
ecbd4482000000bc Active ipv6-icmp 86dd IN 5133* 0 0 (D) fe80::ffff:ffff:ffff:ffff -> ff02::1 130 0 76 0 1 0 tmo 11
ecbd4482000000bd Active ipv6-icmp 86dd OUT 5133* 0 0 (D) fe80::250:56ff:fea0:8d90 -> ff02::16 143 0 0 96 0 1 tmo 11
[root@esxcomp-2a:~]
Get the complete active firewall configuration for each VM
This output gives the complete firewall configuration per vNIC in one dump: the rules, the address sets and the profiles (containers) in use. The containers section shows what the rules written "with attribute profile <uuid>" resolve to on the host, i.e. the FQDN patterns and APP_IDs of the context profiles.
[root@esxcomp-2a:~] vsipioctl getfwconfig -f nic-7014985-eth0-vmware-sfw.2
ruleset mainrs {
# generation number: 0
# realization time : 2020-12-16T23:41:30
# PRE_FILTER rules
rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
rule 5133 at 2 inout protocol any from any to any accept with log tag 'ipv6-app-deny-default';
rule 5132 at 3 inout inet protocol icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
rule 5132 at 4 inout inet protocol tcp strict from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 port 22 accept with log tag 'icmp-test';
rule 5132 at 5 inout inet protocol ipv6-icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
rule 5130 at 6 inout inet protocol icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
rule 5130 at 7 inout inet protocol ipv6-icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
# FILTER (APP Category) rules
rule 5102 at 1 inout protocol any from addrset rsrc5102 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
rule 5126 at 2 in protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
rule 5127 at 3 out protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
rule 5128 at 4 out protocol any from addrset rsrc5128 to addrset rdst5128 accept;
rule 5129 at 5 in protocol any from addrset rsrc5128 to addrset 98abd76f-351b-4a4a-857f-1d91416b0798 accept;
rule 5103 at 6 in protocol any from addrset rsrc5128 to addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 accept;
rule 5135 at 7 inout protocol any from any to any with attribute profile acf76e7d-400b-438b-966f-8d5c10bebbda accept;
rule 5135 at 8 inout protocol any from any to any with attribute profile 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 accept;
rule 5124 at 9 inout protocol any from any to any with attribute profile 8774c654-0f9e-43ad-a803-4aa720e590cf accept;
rule 5123 at 10 inout protocol any from any to any with attribute profile 13e599b5-dd2d-420f-8473-9d45f0d324ac accept;
rule 5125 at 11 inout protocol any from any to any with attribute profile e4be8d7e-e4ab-4466-8f2e-998445ead95d accept;
rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
}
ruleset mainrs_L2 {
# generation number: 0
# realization time : 2020-12-16T23:41:30
# FILTER rules
rule 1 at 1 inout ethertype any stateless from any to any accept;
}
addrset is shared for this filter
global addrset
addrset 98abd76f-351b-4a4a-857f-1d91416b0798 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 10.2.0.2,
ip 10.114.217.26,
ip 172.16.202.2,
ip 172.16.202.22,
ip 192.168.202.2,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
ip fe80::250:56ff:fea0:26dc,
ip fe80::250:56ff:fea0:8d90,
mac 00:50:56:a0:0e:25,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:2d:c0,
mac 00:50:56:a0:8d:90,
}
addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d {
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
ip fe80::250:56ff:fea0:26dc,
ip fe80::250:56ff:fea0:8d90,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rdst5128 {
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset rdst5130 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 100.100.100.100,
}
addrset rsrc5102 {
ip 1.1.1.1,
ip 1.1.1.2,
}
addrset rsrc5127 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset rsrc5128 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
local addrset
No address sets.
containers are shared for this filter
global containers
container 13e599b5-dd2d-420f-8473-9d45f0d324ac {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
FQDN : login\.microsoft\.com(3940c0d7-cbfc-abbb-35b4-786fc4199684),
}
container 8774c654-0f9e-43ad-a803-4aa720e590cf {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
FQDN : outlook\.office365\.com(6e465c1d-7d81-9672-00e1-76ddfc280b8b),
}
container 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
APP_ID : APP_360ANTIV,
}
container acf76e7d-400b-438b-966f-8d5c10bebbda {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
APP_ID : APP_ACTIVDIR,
}
container e4be8d7e-e4ab-4466-8f2e-998445ead95d {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
FQDN : play\.google\.com(c44ef0fc-a922-eb1b-f155-4f0625271198),
}
local containers
No containers.
[root@esxcomp-2a:~]
Other outputs for firewall troubleshooting
Besides the command options above, NSX provides further options for debugging the NSX firewall data path on ESX. Use the help menu as shown below.
[root@esxcomp-2a:~] vsipioctl -h
Usage: help <cmd> <options>
below is a list of available cmd:
getfilters : get list of filters
getfwconfig : get rules, addrsets and containers of a filter
getrules : get rules of a filter
getaddrsets : get addrsets of a filter
getcontainers : get containers of a filter
getspoofguard : get spoofguard setting of a filter
getflows : get flows of a filter
getconncount : get active connection count
getconnections : get active connections
getsisvmstats : get service insertion service VM stats
getsisvctable : dump service insertion service table
getsinshtable : display service insertion nsh table
getsiproxytable : display service insertion proxy table
getsifailedspis : get service insertion failed spi table
getsiflowprogtable : get service insertion flow programming table
getsislotid : get service insertion slot id
getsilbenablestatus: get service insertion load balance enable status
getmeminfo : get meminfo data
initvsiplogging : init vsip logger
getfqdnentries : get fqdn entries
getdnsconfigprofile : get dns config profile for a filter
getfilterstat : get statistics of a filter
gettimeout : get connection timeout setting of a filter
getfloodstat : get flood protection status
getsidcache : get sid cache of a filter
help : this help message
run `vsipioctl <cmd> -h' to find out available options of a cmd.
[root@esxcomp-2a:~]
NSX CLI for firewall troubleshooting
On ESXi, typing "nsxcli" enters the NSX CLI as an alternative to the ESX shell commands above; the "get firewall" command tree provides similar output. Entering "get firewall" on its own is not a complete command, but the response lists the available subcommands.
[root@esxcomp-2a:~] nsxcli
esxcomp-2a.dg.vsphere.local>
esxcomp-2a.dg.vsphere.local> get firewall
% Command not found: get firewall
Possible alternatives:
get firewall <vifuuid> addrsets
get firewall <vifuuid> profile
get firewall <vifuuid> ruleset rules
get firewall exclusion
get firewall ipfix-containers
get firewall ipfix-filters
get firewall ipfix-profiles
get firewall ipfix-stats
get firewall packetlog
get firewall packetlog last <lines>
get firewall rule-stats
get firewall rule-stats total
get firewall status
get firewall thresholds
get firewall vifs
esxcomp-2a.dg.vsphere.local> get firewall packetlog last 10
Wed Dec 16 2020 UTC 23:53:55.693
2020-12-16T23:53:23.878Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:23.878Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:29.234Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:29.234Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z fd2e9266 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z 5f46e9b1 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.239Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.241Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:51.876Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
2020-12-16T23:53:51.876Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
esxcomp-2a.dg.vsphere.local> get firewall exclusion
Wed Dec 16 2020 UTC 23:53:57.731
Firewall Exclusion
----------------------------------------------------------------------
Exclusion count: 7
00894e3c-8948-4b6b-a4cd-acd3a2c21205
15f077e9-4492-4391-9f63-a99b6c978003
2936443e-128c-4b6d-9fcf-3b2fad778b08
3602f84a-8333-44f3-a3c2-e04fbf5e848f
8149b7ec-553d-48e1-af04-1ee2f5ae266e
d615679c-092e-4bfe-8c17-803fe8b3315d
da619e9d-48a0-4c82-a831-bf580d3bec05
esxcomp-2a.dg.vsphere.local> get firewall thresholds
Wed Dec 16 2020 UTC 23:53:59.905
Firewall Threshold Monitors
-------------------------------------------------------------------------------------------
# Name Raised Threshold CurrValue CurrSize MaxSize PeakEver EverTime(ago)
1 dfw-cpu False 60 0 -- -- 0 --:--:--
2 vsip-attr False 60 3 4 MB 128 MB 3 4d 23:35:06
3 vsip-flow False 60 0 0 MB 312 MB 0 --:--:--
4 vsip-fprules False 60 0 0 MB 128 MB 0 --:--:--
5 vsip-fqdn False 60 0 0 MB 128 MB 0 --:--:--
6 vsip-module False 60 15 153 MB 1024 MB 15 4d 23:35:06
7 vsip-rules False 60 0 0 MB 512 MB 0 --:--:--
8 vsip-si False 60 0 0 MB 128 MB 0 --:--:--
9 vsip-state False 60 0 0 MB 384 MB 0 --:--:--
esxcomp-2a.dg.vsphere.local>
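An added example (not NSX documentation code) for the packetlog output shown above: it parses the "match" and "TERM" lines, counts decisions per rule and direction, and lists every dropped flow with its rule ID and log tag so the rule can be traced back with getrules. The PASS and TERM lines are copied from the page; the DROP line is constructed here to show what a hit on the default drop rule looks like, and the rule that the last token of a line is the log tag unless it is an upper-case TCP flag string is an assumption made for this parser.

```python
"""Added example (not NSX documentation code): summarise DFW packetlog lines
as shown by `get firewall packetlog` (the same lines appear in dfwpktlogs.log)."""
import re
from collections import Counter

# Constructed sample: PASS/TERM lines copied from the page, DROP line constructed.
PACKETLOG = """\
2020-12-16T23:53:23.878Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:23.878Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:29.234Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:51.876Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
2020-12-16T23:54:02.101Z 1c0ffee1 INET match DROP 2 IN 60 TCP 10.2.0.2/51234->172.16.202.22/3389 S icmp-default-rule
"""

MATCH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<flow>\S+) (?P<af>INET6?) match (?P<action>PASS|DROP|REJECT) "
    r"(?P<rule>\d+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>\S+) "
    r"(?P<src>\S+)->(?P<dst>\S+)(?P<rest>.*)$")
TERM_RE = re.compile(r"^(?P<ts>\S+) (?P<flow>\S+) (?P<af>INET6?) TERM (?P<rule>\d+) (?P<dir>IN|OUT) ")


def split_endpoint(endpoint):
    """'10.2.0.2/51234' -> ('10.2.0.2', 51234); a bare address gets port None."""
    host, sep, port = endpoint.rpartition("/")
    return (host, int(port)) if sep and port.isdigit() else (endpoint, None)


def parse_packetlog(text):
    """Return ([match events], number of TERM lines). Each event is a dict with
    action, rule, dir, proto, src/sport, dst/dport and the trailing log tag."""
    events, terms = [], 0
    for line in text.splitlines():
        if m := MATCH_RE.match(line):
            e = m.groupdict()
            e["rule"], e["len"] = int(e["rule"]), int(e["len"])
            e["src"], e["sport"] = split_endpoint(e["src"])
            e["dst"], e["dport"] = split_endpoint(e["dst"])
            rest = e.pop("rest").split()
            # Assumption: the log tag is the last token; an all-upper-case last
            # token (e.g. TCP flags "S") means the line carries no tag.
            e["tag"] = rest[-1] if rest and not rest[-1].isupper() else None
            events.append(e)
        elif TERM_RE.match(line):
            terms += 1  # flow-end record; no new decision
    return events, terms


def summarise(text):
    """Decisions per (action, rule, direction) plus the list of non-PASS events."""
    events, terms = parse_packetlog(text)
    by_rule = Counter((e["action"], e["rule"], e["dir"]) for e in events)
    drops = [(e["rule"], e["tag"], e["proto"], e["src"], e["dst"], e["dport"])
             for e in events if e["action"] != "PASS"]
    return {"by_rule": by_rule, "drops": drops, "terms": terms}


if __name__ == "__main__":
    s = summarise(PACKETLOG)
    for (action, rule, direction), n in sorted(s["by_rule"].items()):
        print(f"{action:6} rule {rule:5} {direction:3} {n}")
    for rule, tag, proto, src, dst, dport in s["drops"]:
        print(f"dropped by rule {rule} ({tag}): {proto} {src} -> {dst} port {dport}")
```

The rule ID in a DROP line is the value to look up in `vsipioctl getrules -f <filter>`; combined with the address-set dump it tells you whether the drop came from the intended rule or from the default rule because an expected allow rule never matched.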
DFW L2 rule shows an unknown MAC address
After you configure a Layer 2 firewall rule with one MAC set as the source and another MAC set as the destination, the getrules command on the host shows an internal rule whose destination is 01:00:00:00:00:00/01:00:00:00:00:00 instead of the MAC set. For example:
[root@host1:~] vsipioctl getrules -f nic-1000052822-eth1-vmware-sfw.2
ruleset mainrs {
# generation number: 0
# realization time : 2018-07-26T12:42:28
rule 1039 at 1 inout protocol tcp from any to any port 1521 accept as oracle;
# internal # rule 1039 at 2 inout protocol tcp from any to any port 1521 accept;
rule 1039 at 3 inout protocol icmp from any to any accept;
rule 2 at 4 inout protocol any from any to any accept with log;
}
ruleset mainrs_L2 {
# generation number: 0
# realization time : 2018-07-26T12:42:28
rule 1040 at 1 inout ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
# internal # rule 1040 at 2 in ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
# internal # rule 1040 at 3 out ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to mac 01:00:00:00:00:00/01:00:00:00:00:00 accept;
rule 1 at 4 inout ethertype any stateless from any to any accept;
}
The internal outbound rule with address 01:00:00:00:00:00/01:00:00:00:00:00 is created by design to handle outbound broadcast packets and does not indicate a problem; the firewall rule works as configured. The value/mask pair tests only the I/G (group) bit of the first octet, which is set on broadcast and multicast destination MAC addresses, so the configured destination MAC set still governs unicast frames while the internal rule covers the group-addressed ones.
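A small added check (not NSX documentation code) that shows what the value/mask pair in the internal rule actually covers. It assumes the usual reading of an address/mask pair, (destination MAC AND mask) == value, and uses a few constructed destination MACs.

```python
"""Added example (not NSX documentation code): what does the internal L2 rule's
destination `mac 01:00:00:00:00:00/01:00:00:00:00:00` match?
Assumption: value/mask means (dst_mac & mask) == value."""

# The value and mask from the internal rule: only the I/G bit of octet 0.
INTERNAL_VALUE = "01:00:00:00:00:00"
INTERNAL_MASK = "01:00:00:00:00:00"


def mac_to_int(mac):
    """'00:50:56:a0:8d:90' or '00-50-56-a0-8d-90' -> 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def mac_matches(dst_mac, value=INTERNAL_VALUE, mask=INTERNAL_MASK):
    """Masked equality, the assumed semantics of 'mac <value>/<mask>'."""
    return mac_to_int(dst_mac) & mac_to_int(mask) == mac_to_int(value)


def classify(dst_mac):
    """'group' if the internal broadcast/multicast rule applies, else 'unicast'."""
    return "group" if mac_matches(dst_mac) else "unicast"


if __name__ == "__main__":
    # Constructed sample destinations: broadcast, IPv4 multicast, IPv6 multicast,
    # and a unicast MAC taken from the page's address sets.
    for mac in ("ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:01", "33:33:00:00:00:01", "00:50:56:a0:8d:90"):
        print(mac, "->", classify(mac))
```

Broadcast and both multicast addresses fall under the internal rule, while the unicast MAC does not and is therefore matched against the configured destination MAC set only.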